Twitter may have sent your private DMs to the wrong people -- but probably not

The bug ran for more than a year, but it's been fixed.

Abrar Al-Heeti Technology Reporter

A Twitter bug may have sent some people's direct messages to developers who weren't supposed to get them, the company said Friday.

Twitter said it discovered the bug in its Account Activity API (AAAPI), which lets registered developers build tools to help businesses communicate with customers. Users who interacted with accounts or businesses that relied on developers using the AAAPI may have had their direct messages or protected tweets sent to the wrong people. For example, a direct message to an airline about lost bags may have been accidentally sent to the wrong recipient.

In a statement, Twitter said it was "very sorry this happened."

The issue began last May. Twitter said it issued a fix when it discovered the problem on Sept. 10, 2018. The bug affected less than 1 percent of users, the company said. 

"Any party that may have received unintended information was a developer registered through our developer program, which we have significantly expanded in recent months to prevent abuse and misuse of data," Twitter said in a statement. 

The company said it'll contact people directly through an in-app notice and on Twitter's site if their account was affected by the bug. 

Some Twitter users got messages like this about a bug that may have sent their DMs to the wrong recipient.


Screenshot by Stephen Shankland/CNET

Some users tweeted screenshots of the notifications they'd received from Twitter. 

"Sorry, what?! My DMs may have been sent to developers for more than a year??" Mashable reporter Karissa Bell tweeted.

In a tweet, Twitter said: "We haven't found an instance where data was sent to the incorrect party. But we can't conclusively confirm it didn't happen, so we're telling potentially impacted people about the bug. If you were potentially involved, we'll contact you today. We're sorry that this happened." 

In another tweet, the company emphasized that "this only involves potential interactions or Direct Messages you have had with companies using Twitter for things like customer service. Your other DMs are not involved at all."

Twitter said it reached out to developer partners to make sure they delete any information they shouldn't have. 

"Our investigation is ongoing," Twitter said in the statement. "We will continue to provide updates with any relevant information."
